Postman collection for application management

This guide helps you to test the CyberArk Identity application management related APIs using postman collection. Postman is an HTTP testing API application that allows you to monitor requests and responses.


Import postman collection

Run in PostmanRun in Postman

Get started with postman collection

Once the postman collection is imported, the following variables have to be pre-filled to run the collection based on the functionality you want to try out.


Authentication is required to access the APIs related to application management. The authenticated user should contain application management administrative rights to access the APIs.

Variable nameDescription
tenant_urlThe URL of the CyberArk Identity tenant ( The URL will be used for all API requests to CyberArk Identity.
usernameThe username of the CyberArk Identity directory user.
passwordThe password of the CyberArk Identity directory user.
app_keyThe application key of the app. The app key can be retrieved from the settings tab of the app once the app is created.
admin_tagTags for the applications.
descriptionDescription of the application.
iconIcon URL for the application.
icon_uriIcon URL for the application.
nameName for the application.
organization_idOrganization ID to which the application should be added.
service_nameApplication ID for the application.
show_in_user_portalA boolean that specifies whether the application should be displayed in the user portal or not.
app_namesThe names of the applications that are to be imported from the templates.
rightsThe rights granted to the user for applications. i.e., Grant, View, Manage, Run etc.,
directory_service_uuidThe UUID of the directory service to which the user belongs.
tag_namesThe tags that need to be added to the applications.

The following variables should be pre-filled to create or update OpenID Connect applications:

Variable nameDescription
oidc_allow_login_byThe value tells whether the RP or CyberArk Identity initiates the login.
oidc_allow_refreshBoolean value to enable/disable refresh tokens.
oidc_allow_scope_selectBoolean value to enable/disable scope selection on consent pop-up.
oidc_client_secretA unique code that an authorization service issues when the service registers the application. You can think of it as the password for the client application.
oidc_confirm_consentBoolean flag to enable/disable OIDC consent.
oidc_scope_nameName of the scope to be added.
oidc_scope_typeThe type of scope. i.e., API/Custom Claims
oidc_allowed_rest_APIsList of regexes of the allowed rest APIs.
oidc_post_logout_URIsList of authorized post-logout URIs.
oidc_redirectsList of authorized redirect URIs.
oidc_refresh_token_lifetimeThe refresh token lifetime.
oidc_token_lifetimeThe lifetime of access and ID tokens.
oidc_scriptThe script to add custom claims.
oidc_relying_party_urlURL of the relying party application.

The following variables should be pre-filled to create or update SAML applications:

Variable nameDescription
saml_spconfig_methodAn integer value that takes the SP configuration method. It can either be:

1 - Metadata
2 - Manual Configuration
saml_spmetadata_urlThe SP metadata URL.
saml_spmetadata_xmlThe SP metadata XML.
saml_audienceSP Entity ID, also known as SP Issuer or Audience.
saml_acs_urlACS URL
saml_recipient_SameAsAcsUrlBoolean value that specifies if the recipient value is the same as ACS URL.
saml_sign_methodThe SAML sign method. It can either be "response," "Assertion," or both.
saml_name_id_formatThis is the Format attribute value in the element in SAML Response. Select the NameID Format that your Service Provider specifies to use. If SP does not specify one, select 'unspecified.'
saml_sp_slo_urlSP single logout URL
saml_encrypt_assertionA boolean value that specifies if the SAML assertion should be encrypted or not.
saml_encryption_thumbprintEncryption certificate thumbprint.
saml_relay_stateThe relay state specified by the SP.
saml_authn_context_classSelect the Authentication Context Class that your Service Provider specifies to use if SP does not specify one, select "unspecified."
saml_attributesThe SAML attributes that have to be sent in the SAML assertion.
saml_scriptThe script is required for more complex logic for attribute mappings for your SAML response

The following are some additional variables that should be pre-filled to create or update OAuth 2.0 applications along with OIDC applications:

Variable nameDescription
oauth_allow_publicA boolean flag that specifies whether public clients should be allowed or not. This is required for authorization code with PKCE flow.
oauth_allowed_authThe list of allowed grant types.
oauth_client_id_typeThe type of the client ID. It can be "Anything," "List," or "Confidential Client."
oauth_clientA boolean flag that specifies if it is an OAuth client or not.
oauth_token_typeThe type of the OAuth token. There are two types of tokens: JwtRS256, and Opaque.